ABSTRACT

A knowledge-based flight control system capable of detecting, identifying,
and reconfiguring for a wide range of aircraft failures has been designed.
Combining modern control theory, statistical hypothesis testing, and
artificial intelligence techniques, this research addresses the question
of whether or not an "intelligent" computer could assist a pilot during a
failure. Analytical redundancy techniques, including a Generalized
Likelihood test, are used for failure detection. Failure diagnosis is
performed by an expert system. Utilizing knowledge of cause-and-effect
relationships between all aircraft components and the statistical results
of a Multiple-Model algorithm, the expert system decides which aircraft
component has failed and how to reconfigure for the failure. Preliminary
tests on an 8-bit microprocessor system were conducted and are summarized,
and plans to expand to a 16-bit multi-microprocessor system are outlined.

1. INTRODUCTION

As machines become more complicated, the possibility of system failures
increases. Component failures can have disastrous effects on the operation
of any system, but in the case of aircraft, the consequences of such an
event can include failure to complete the mission, massive property
damage, and loss of life. The goal of this research effort is to identify
control system architectures that will enhance the ability of present and
future aircraft to accommodate failures. What separates this research from
previous efforts in aircraft failure detection, identification, and
reconfiguration (FDIR) is the desire to accommodate an expanded range of
system failures, including not only control system components but elements
of the aircraft itself. Techniques of artificial intelligence theory are
employed along with statistical hypothesis testing and modern control
theory in accomplishing this task.

2. TRENDS IN AIRCRAFT FAILURE ACCOMMODATION

Failure accommodation has long been a primary concern of aircraft
designers. Consequently, trends in aircraft FDIR techniques closely follow
trends in aircraft design. The Wright brothers designed their aircraft
with the belief that the pilot should have maximum authority over its
motion. Unfortunately, this high degree of maneuverability resulted in
marginal static stability requiring excessive pilot effort. In later
years, increased stability and autopilots helped reduce pilot workload. In
order to reduce the likelihood of catastrophic failures, aircraft were
designed with large safety margins. It was hoped that the aircraft would
degrade gracefully and "limp home" in the event of a failure. However,
failure accommodation became more complicated when the desire to carry
large payloads emerged. The introduction of hydraulics into the control
loop marked the first step in separating the pilot from the control
surfaces, and this required redundancies to avoid crippling failures of
the primary flight control system.

Recent design developments affect both the operational cost and
maneuverability of modern aircraft. Active controls permit smaller tail
surface area, resulting in lower fuel consumption. Fly-by-wire control
systems help integrate stability augmentation, command augmentation,
autopilot, and trim subsystems. The combination of the two allows
increased maneuverability and the possibility of reconfiguration. However,
the cost and weight penalties incurred by the required redundancies (i.e.
duplex, triplex, or even quadruplex sensors or actuators) often prohibit
the use of such systems.

The cost and weight savings that can be afforded by a reduction of these
redundancies point to the need for reliable failure detection and
identification (FDI) methods. Figure 1 shows some of the trade-offs
involved in sensor FDI. The easiest way to detect and identify a sensor
failure is to compare three sensors which measure the same quantity. Such
a triplex system can be very expensive, however. In the less expensive
duplex system, a failure is easy to detect but hard to identify.
Additionally, functional redundancy between unique sensors can be
exploited to further reduce costs. For example, a rate gyro and an
accelerometer can each provide pitch rate information; therefore, the
signals can be compared to detect a failure in one of the two components.


Although seemingly straightforward, these FDI techniques can run into
problems. Consider a triplex system where two of the sensors are powered
from one electrical source and the third sensor from a different source.
If the triplex FDI scheme identified a failure by singling out the one
sensor which differed from the other two, a power failure to the first two
sensors would be misconstrued as a failure of the third. This brings up
the need for the incorporation of intelligence in the failure diagnosis
process, an intelligence that will recognize when such "higher-order"
relations among different elements of the aircraft exist.
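
The triplex misdiagnosis described above, as an added example that is not
code from the original paper: a plain odd-one-out voter next to one that
consults support link-data before blaming a sensor. The sensor names, bus
names, tolerance, and voltage limit are constructed for illustration.

```python
from itertools import combinations

TOLERANCE = 0.5  # deg/s; readings closer than this "agree" (constructed value)

# Link-data: which electrical source supports each pitch-rate sensor (constructed).
SUPPORTED_BY = {"gyro_1": "bus_A", "gyro_2": "bus_A", "gyro_3": "bus_B"}


def naive_vote(readings):
    """Triplex comparison: return the one sensor that differs from the other two.

    Expects exactly three readings; returns None when no sensor stands out.
    """
    for a, b in combinations(sorted(readings), 2):
        if abs(readings[a] - readings[b]) <= TOLERANCE:
            (odd,) = set(readings) - {a, b}
            if abs(readings[odd] - readings[a]) > TOLERANCE:
                return odd
    return None


def support_aware_vote(readings, bus_voltage, min_voltage=22.0):
    """Same vote, but check whether the agreeing pair shares a failed support.

    bus_voltage is auxiliary-sensor value-data {bus: volts}. If both agreeing
    sensors hang off one bus, the outlier does not, and that bus is below its
    warning level, the bus is the failure and the outlier is the good sensor.
    """
    odd = naive_vote(readings)
    if odd is None:
        return {"failed": None, "trusted": sorted(readings)}
    majority = sorted(set(readings) - {odd})
    shared = {SUPPORTED_BY[s] for s in majority}
    if len(shared) == 1:
        (bus,) = shared
        if SUPPORTED_BY[odd] != bus and bus_voltage[bus] < min_voltage:
            return {"failed": bus, "trusted": [odd]}
    return {"failed": odd, "trusted": majority}


# Constructed case: bus_A has lost power, so gyro_1 and gyro_2 both read zero
# while gyro_3 still reports the true pitch rate.
POWER_LOSS_READINGS = {"gyro_1": 0.0, "gyro_2": 0.0, "gyro_3": 4.2}
POWER_LOSS_VOLTAGE = {"bus_A": 3.1, "bus_B": 28.0}

if __name__ == "__main__":
    print("naive voter blames:", naive_vote(POWER_LOSS_READINGS))
    print("support-aware:", support_aware_vote(POWER_LOSS_READINGS, POWER_LOSS_VOLTAGE))
```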

How have these basic techniques been used in existing aircraft? Table 1
gives a sampling of aircraft (two military, one research, and one civil)
which depend on these techniques to handle sensor and actuator failures,
as described in (1,2).


TABLE 1

Trends in Aircraft Failure Accommodation

AIRCRAFT, WITH FDIR METHOD FOR SENSORS AND ACTUATORS

• SAAB VIGGEN JA37
  1st MILITARY AIRCRAFT IN SERIES PRODUCTION AND FIELD SERVICE WITH
  DIGITAL AUTOMATIC FCS
    SENSORS:    DUPLEX/COMPARISON
    ACTUATORS:  SIMPLEX/ANALYTICAL RED. (SERVO MODEL) WITH REVERSION TO
                TRIM POSITION

• GENERAL DYNAMICS F-16
  ANALOG FLY-BY-WIRE
    SENSORS:    QUADRUPLEX/COMPARISON
    ACTUATORS:  QUADRUPLEX

• NASA F-8 DFBW
  FULL AUTHORITY DFBW CONTROL WITHOUT MECHANICAL REVERSION (ANALOG BACKUP)
    SENSORS:    TRIPLEX/COMPARISON;
                DUPLEX/ANALYTICAL RED. (STATISTICAL TESTING)
    ACTUATORS:  TRIPLEX

• SPACE SHUTTLE ORBITER
  FULL AUTHORITY DFBW CONTROL WITHOUT MECHANICAL REVERSION
    SENSORS:    HARDWARE AND ANALYTICAL RED.
    ACTUATORS:  HARDWARE AND ANALYTICAL RED.

3. MOTIVATION FOR RESEARCH

The sampling of fatal air carrier accidents shown in Table 2 provides an
indication of failure types that must be considered. As illustrated by the
three groups, many accidents appear to be the result of a misuse of
information, knowledge, or capability. For instance, a pilot depends on
instruments for accurate aircraft status information. Inaccurate or
partial information deprives the pilot of the resources necessary to
safely operate the aircraft, leading to misuse of information. Similarly,
negligence or inexperience on the part of the pilot represents a misuse of
knowledge. Finally, modern jet aircraft have highly redundant control
effectors. As a result, it may be possible to counterbalance the effect of
a failed primary control effector, such as an aileron, with a secondary
control effector, such as a trailing edge flap. If an aircraft is
controllable following a failure, but through a lack of information,
knowledge, or ability the pilot fails to control it, this represents a
misuse of capability. Nowhere is this fact as pronounced as in the
circumstances surrounding the non-fatal 1977 Delta Flight 1080, in which
the left elevator jammed up 19 degrees (3), or the 1979 American Airlines
DC-10 crash, in which a separated engine pylon disabled slat disagreement
and stall warning systems (4).

It  is  felt  that  these  aircraft  were  still  controllable  following  their 
failures,  but  the  pilots  could  neither  recognize  nor  react  to  the  failures 
fast  enough.  The  present  research  addresses  the  question  of  whether 
or  not  an  "intelligent"  computer  could  assist  a  pilot  in  such  a  situation. 

TABLE 2

Fatal Accidents of U.S. Scheduled Air Carriers, 1961-1979


Information

Reverse  Thrust  Warning  Light  Malfunction 

Landing  Gear  Warning  Light  Malfunction 

Loss  of  Electrical  System  to  Attitude  Instruments 

Knowledge 

Turbulence,  Airframe  Failure  in  Flight 
Hydraulic  Pressure  Loss  Uncorrected  by  Pilot 

Capability 

Hydraulic  System  Degradation 
Rudder  Support  Material  Failure 
Rudder  Control  System  Malfunction 
Flight  Control  System  Failure 
Engine  Pylon  Failure 


4.  RESEARCH  OBJECTIVES 

The objective of this research is to use artificial intelligence
techniques, along with statistical hypothesis testing and modern control
theory, to help the pilot utilize information, knowledge, and capability
in the event of one or more failures. An "intelligent" flight control
system that uses knowledge of cause-and-effect relationships between all
aircraft components will be developed. It will screen the information
available to the pilot to aid in its interpretation, to supplement the
pilot's knowledge, and most importantly, to utilize the remaining flight
capability of the aircraft following a failure through reconfiguration.


The  types  and  modes  of  failures  that  the  system  will  be  expected  to 
handle  include  those  in  Table  3.  Failure  type  corresponds  to  the  type 
of  aircraft  element  that  has  failed.  Types  of  elements  include  sensors, 
controls,  actuators,  effectors,  and  supports.  Additionally,  structural 
failures  are  classified  according  to  where  they  occur  on  the  airframe. 
Failure  modes  pertain  to  how  the  failure  affects  the  given  element.  A 
sensor,  for  example,  can  suffer  from  bias  shift,  sticking  at  a  certain 
position,  increased  noise,  and  intermittent  operation.  By  identifying 
the  specific  mode,  a  decision  can  be  made  as  to  whether  or  not  reliable 
information  can  still  be  retrieved  from  that  sensor  following  the  failure. 
Similarly,  an  intelligent  flight  control  system  can  decide  whether  or  not 
an  actuator  or  effector  can  be  relied  upon  to  command  a  certain  control 
response  following  a  failure. 

TABLE 3

Failure Types and Modes

Failure type    Examples
sensor          pitot-static tube
control         stick, rudder pedals, throttle
actuator        aileron actuator, elevator actuator
effector        aileron, elevator
support         batteries, electrical wires, hydraulic lines
structural      wing damage

Failure mode    Examples
bias            sensor bias jump
stuck           null, hard-over
noise           sensor noise increase, turbulence or microburst encounter
intermittent    broken wire


5.  INITIAL  ASSUMPTIONS 


In order to adapt to significant failure-induced changes in the
configuration of the aircraft, the control system must have a variable
structure. A fly-by-wire flight control system can be reconfigured by
supplying new mathematical models and gains to the computer; thus, a
control system (with no computer-related failures) of this form is
assumed. Note that the pilot flies the aircraft via the flight computer
and has no direct link to the control surfaces. It is essential,
therefore, that the flight computer have the mathematical model and gains
corresponding to the actual aircraft configuration. Assuming that a
failure will significantly change the configuration, it will be the job of
the Knowledge-based Reconfigurable Flight Control System (KRFCS) to
replace the pre-failure model with the correct model. The assumption of
the presence of a fly-by-wire system is not unreasonable for the reasons
stated above, and in fact it is hoped that the results of this effort will
help speed the acceptance of such systems into more types of aircraft.

Previous work in aircraft FDIR (5,6,7,8,9) has centered around sensor and
actuator failures; this effort will encompass more complicated failures,
such as those due to structural damage. The FDIR scheme will have to
extend the idea of functional redundancy to that of analytical redundancy
containing relationships between all aircraft components. It also must
contain information about the effects of failures on aircraft behavior.
The starting point will be the aircraft nonlinear equations of motion
shown in Appendix A and described in (10).

Although these equations can be solved by computer, no closed-form
solutions exist; therefore, linearization in state space form is performed
to make the problem analytically tractable. This results in a perturbation
equation describing aircraft motion about a nominal trajectory. With the
assumptions of a fixed sampling interval and a piecewise constant input, a
discrete-time sampled data system is produced. In order to include the
effects of failures in the model, deterministic biases and zero-mean,
Gaussian, white noise sequences are included. The resultant stochastic
dynamic system, which is an approximation to the actual nonlinear aircraft
dynamics, is shown in block diagram form in Appendix A.

Next, a controller and estimator are designed for the aircraft using the
linear discrete-time model. Note that the model corresponds to the
nominal, non-failed aircraft. With no failures, the closed-loop system
shown in Fig. 2 will provide the pilot with the resources necessary to
safely operate the aircraft. If a failure occurs and the aircraft
configuration changes significantly, the controller will have the wrong
gains for the present configuration, and the estimator will be trying to
predict the behavior of an aircraft configuration which no longer exists.
At this point, the KRFCS must provide the controller and estimator with
the correct numbers to keep the aircraft flying.


6.  ISSUES  OF  FDIR 


The next step in the design procedure is to identify an intelligent
algorithm which accomplishes failure detection, identification, and
reconfiguration with the given control structure. One method of dealing
with the problem is to automate the procedure a human observer would
follow if given enough time. The KRFCS supervises aircraft behavior until
some abnormality occurs, at which time a failure flag is raised. The
system then allocates its resources to best serve the problem-solving
process. This will be important if implementation requires a
multi-microprocessor environment. Next, the system tries to diagnose
exactly what has failed. Concurrently, immediate and temporary measures
are taken to help reduce the effect of the failure during diagnosis. An
example of such compensation would be the deflection of a flap to offset a
sudden, unexplained roll. When the failure is identified, the best control
configuration given the present circumstances is chosen and
reconfiguration begins. Finally, the new control scheme is implemented.

In the present system, reconfiguration will be the easiest task the KRFCS
must perform. When a failure has been detected, the output of the ensuing
diagnosis will be the name of the failure which is most likely to have
occurred (given the background knowledge and failure-time information
available to the system). Reconfiguration will involve looking in memory
for the pre-calculated model and gains corresponding to that failure. This
implies that the system contains in memory a vast array of models and
gains, calculated off-line, corresponding to every conceivable failure, or
at least to all the failures the system will be expected to handle.
Questions of how many failures to include and what resolution is necessary
to ensure reasonable handling qualities (aileron failed in increments of 4
degrees, or 2 degrees, or 0.5 degrees, ...) will be addressed in the
future. This FDIR scheme is depicted in Fig. 3.

A more aesthetically pleasing solution to the problem of aircraft fault
tolerance would be a restructurable control system which could perform
on-line parameter estimation and on-line gain calculation; however,
parameter estimation schemes with the required accuracy and speed remain
to be defined. Additionally, a restructurable system stresses processor
speed while the reconfigurable one presented stresses memory. With
implementation a prime goal, it appears that the "brute force" method of
pre-calculated failure models and gains in memory is more feasible at the
present time. More comparisons between reconfigurable and restructurable
control can be found in (11).

The problems of failure detection and diagnosis remain. When the attempt
is made to detect and diagnose all types of failures (not simply sensor
failures, as described earlier) it is necessary to use all the analytical
redundancy available, such as that contained in the mathematical model of
the aircraft. The Generalized Likelihood Ratio (GLR) Method and the
Multiple-Model (MM) Method (7), both summarized in Fig. 4, are two
algorithms that use this redundancy to choose from a finite set of
alternatives the model which best predicts the actual aircraft behavior.
In FDI, the set of alternatives would be the set of failures one hopes to
detect and identify.

The GLR method uses the innovations process from a single nominal Kalman
filter to calculate the likelihood that a given system bias jump has
occurred. For this reason, the computational load is low, and the method
quickly detects failures. Because only additive effects can be modeled,
failures that produce parametric model changes cannot be easily diagnosed.
Consequently, the GLR method is useful principally for detection in our
application.


FDI WITH THE GENERALIZED LIKELIHOOD RATIO (GLR) METHOD
SYSTEM WITH BIAS JUMP DUE TO FAILURE

FDI WITH THE MULTIPLE MODEL (MM) ALGORITHM
EACH HYPOTHESIZED FAILURE HAS A KALMAN FILTER ASSOCIATED WITH IT
BAYES RULE GIVES RECURSIVE FORMULA FOR CONDITIONAL PROBABILITIES

Figure 4: Summary of GLR and MM Algorithms


The MM method, on the other hand, runs a Kalman filter for each of the
failure hypotheses, so it can accommodate parametric as well as additive
failures. It also is tolerant of non-Gaussian noise, which may occur in
practice. Using Bayes' rule, the algorithm points to the model which best
predicts aircraft behavior, which is the one the controller and estimator
should use following a failure. The method is slow at detecting
failure-induced model switches; therefore, it is used principally for
failure identification. One way to accomplish FDI would be to first detect
a failure with the GLR test, then run the MM algorithm to choose the
proper model from the set of all possible failure models.
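
The detect-then-identify sequence described above, as an added example
that is not code from the original paper: a bank of scalar Kalman filters
with the recursive Bayes update, run on a deterministic simulation of a
parametric failure. The scalar model, the three hypotheses, the
probability floor, and the plain innovation threshold that stands in for
the GLR test are all assumptions made for illustration.

```python
import math
from dataclasses import dataclass

A = 0.9                  # constructed scalar dynamics: x[k+1] = A*x[k] + b*u[k]
Q, R = 1e-4, 1e-2        # noise variances every filter is designed with
FLOOR = 1e-6             # lower bound that keeps every hypothesis recoverable
DETECT_THRESHOLD = 9.0   # r^2/S above this is a 3-sigma innovation

# Hypothesised control effectiveness b for each model in the bank (constructed).
HYPOTHESES = [
    ("nominal", 1.0),
    ("effector at half effectiveness", 0.5),
    ("effector stuck at null", 0.0),
]


@dataclass
class KalmanFilter:
    """Scalar Kalman filter for one hypothesis; the measurement is z[k] = x[k]."""
    name: str
    b: float
    x_hat: float = 0.0
    p: float = 1.0

    def step(self, u, z):
        """Predict, correct with z, and return (innovation r, its variance s)."""
        x_pred = A * self.x_hat + self.b * u
        p_pred = A * A * self.p + Q
        r, s = z - x_pred, p_pred + R
        gain = p_pred / s
        self.x_hat = x_pred + gain * r
        self.p = (1.0 - gain) * p_pred
        return r, s


def bayes_update(prior, innovations):
    """Recursive Bayes rule over the bank, computed in the log domain."""
    log_post = [
        math.log(p) - 0.5 * (math.log(2.0 * math.pi * s) + r * r / s)
        for p, (r, s) in zip(prior, innovations)
    ]
    top = max(log_post)
    weights = [math.exp(lp - top) for lp in log_post]
    total = sum(weights)
    floored = [max(w / total, FLOOR) for w in weights]
    total = sum(floored)
    return [w / total for w in floored]


def run(fail_step=40, n_steps=80, b_after_failure=0.5, u=1.0):
    """Deterministic simulation: nominal aircraft until fail_step, then failed."""
    bank = [KalmanFilter(name, b) for name, b in HYPOTHESES]
    probs = [0.98, 0.01, 0.01]
    x = 0.0
    detect_step = identify_step = None
    for k in range(n_steps):
        b_true = 1.0 if k < fail_step else b_after_failure
        x = A * x + b_true * u
        innovations = [f.step(u, x) for f in bank]   # noise-free measurement z = x
        r_nom, s_nom = innovations[0]
        if detect_step is None and r_nom * r_nom / s_nom > DETECT_THRESHOLD:
            detect_step = k          # detector watches the nominal filter only
        probs = bayes_update(probs, innovations)
        best = max(range(len(bank)), key=probs.__getitem__)
        if identify_step is None and k >= fail_step and best != 0:
            identify_step = k        # first step the bank prefers a failure model
    return {
        "detect_step": detect_step,
        "identify_step": identify_step,
        "identified": bank[best].name,
        "probability": probs[best],
    }


if __name__ == "__main__":
    print(run())
```

The innovation threshold fires at the failure sample, while the filter
bank needs a few more samples before a failure model overtakes the nominal
one, which matches the division of labor between detection and
identification given in the text.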

The observations used by the estimator are derived from signals provided
by the Flight Sensors, which are but a subset of all the sensors on the
aircraft. Auxiliary Sensors, which measure quantities such as battery
voltages and hydraulic line pressures, can convey important failure-time
information and should be included in the FDIR scheme. In addition to the
GLR test, the KRFCS should look at auxiliary sensor signal levels to see
if warning thresholds have been exceeded, and at transition rates to see
if the signal has jumped an unreasonable amount in a given amount of time.
The flow chart for such a system is shown in Fig. 5.

The KRFCS will be expected to handle many types of failures. Each failure
will change the aircraft configuration in a unique way and will,
therefore, have a unique model associated with it. If the
previously-mentioned FDIR scheme is employed, the MM algorithm will be
required to choose among thousands of models. Although this may be a
theoretically feasible solution, it will require an immense amount of
computing


tus of all aircraft sensors and GLR test results and give as output a
"failure candidate list" naming the most probable failures. It is assumed
that given ample time, a human expert with years of experience in
analyzing aircraft failures would be able to provide such a service;
however, aircraft failures are time-critical events. Recognizing that the
speed and memory capabilities of modern digital computers could provide a
solution, it is necessary to draw on the techniques of artificial
intelligence (AI) theory.

7.  THE  ROLE  OF  ARTIFICIAL  INTELLIGENCE 

Artificial Intelligence research attempts to make computers perform tasks
that require the emulation of human intelligence. Although this research
includes work in areas such as natural language understanding and computer
vision, it is the knowledge-based system (KBS) that best suits our
purpose. The structure of a KBS is shown in Fig. 6, as seen in (12). An
inference engine, which acts as a reasoning control structure, combines
facts, assumptions, definitions, and heuristics about the world to produce
an answer to a specific question. If the reasoning mechanism encapsules
the knowledge of a human expert, the KBS is called an expert system. The
knowledge-based reconfigurable flight control system will contain an
expert system that will answer the question, "What failures are most
likely given the following informa-

Figure 6: Structure of a Knowledge-Based System


8. A KNOWLEDGE-BASED RECONFIGURABLE FLIGHT CONTROL SYSTEM


s. The job of the expert system is to narrow down to a reasonable number
the list of possible failures to be tested by the MM algorithm. A failure
is detected when a sensor value goes beyond a pre-specified warning level,
or if it jumps too quickly, or if a state or observation bias jump is
picked up by the GLR. This information is then passed on to the expert
system. With knowledge of the cause-and-effect relationships among all
aircraft components and failure diagnosis rules, the expert system decides
which failures are most likely to have occurred. Accordingly, the system's
knowledge base can be broken into two parts: the Global Data Base (GDB)
and the Rules.


The global data base contains status information on aircraft components,
called "value-data", and dependencies between different aircraft
components, called "link-data". Examples of value-data include real-time
sensor signal levels, sensor warning levels, estimator outputs, and
component operational status. Link-data tells which sensors sense which
components or states, which controls control which actuators, which
actuators actuate which effectors, which effectors effect which forces and
moments, and which forces and moments combine to influence which states.
It also contains information on component location in the aircraft (which
locations contain which components) and how each component is supported:
electrically, hydraulically, or otherwise. The framework of the prototype
KRFCS global data base, which includes only lateral-directional effects,
is shown in Fig. 7.

The rules combine the facts, definitions, and assumptions contained in the
GDB with heuristic reasoning to diagnose a failure. They are in the form
of "IF ... THEN ..." productions which draw certain conclusions if certain
conditions are met. The following example illustrates the type of rules
the KRFCS expert system contains.

Figure 7: KRFCS Global Data Base


Rule 8:

IF    a sensor (such as an aileron position sensor) has
      exceeded its expected value
AND   that sensor senses an effector (such as an aileron)
AND   no states (including roll rate) have exceeded their
      expected values

THEN  a sensor failure is likely


Rule 10:

IF    a sensor has exceeded its expected value
AND   that sensor senses an effector
AND   that effector strongly affects a state which has
      exceeded its expected value

THEN  an effector failure is likely




These two rules show how the expert system can distinguish between a
failed effector position sensor and a failed effector whose position is
sensed. Both rules determine that a failure is likely under the given
circumstances. This is called "diagnosis through validity". Other rules,
labeled "diagnosis through contradiction", determine that a certain type
or mode of failure is unlikely. The sixteen rules used in the earliest
system experiments are contained in Appendix B.

Although the expert system may contain many rules, only a small number of
them will be pertinent to a given failure at a given point in the
diagnosis process. For example, if a failure is detected and no state bias
jumps were observed by the GLR test, the expert system should not waste
time testing rules that depend on the existence of a state bias jump in
order to be true. The third part of the expert system, the "rule
interpreters", provides the inference engine needed to select the
appropriate rules to be tested.

Note that an advantage of this diagnostic technique is that the rules do
not refer to individual aircraft components. When a failure is detected,
the supervisor places the names of the offending sensors (as picked up by
the threshold test) or bias jumps (as picked up by the GLR test) into
special arrays. The rules and rule interpreters manipulate these arrays
and special "scratch pad" memory stacks while carrying out the diagnosis.
As the rules are executed, a running "scoreboard" keeps track of the most
likely and unlikely failure types and modes, as well as the specific
components involved. In this way the search for the failure can be kept at
a high level of abstraction, and a small number of rules can provide a
great deal of diagnostic power. Rule 14, which deals with structural
failures, is a good example of this (Appendix B).
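
Rules 8 and 10 applied through link-data, with a rule interpreter and a
scoreboard, as an added example that is not the KRFCS Pascal code: the
rules name no aircraft component and resolve everything through the data
base. The component names, limits, flag names, and sample value-data are
constructed for illustration.

```python
from collections import Counter

# Link-data (constructed, lateral-directional only).
SENSES = {                      # sensor -> component it senses
    "aileron_position_sensor": "aileron",
    "rudder_position_sensor": "rudder",
}
STRONGLY_AFFECTS = {            # effector -> states it strongly affects
    "aileron": {"roll_rate"},
    "rudder": {"yaw_rate"},
}
KIND = {"aileron": "effector", "rudder": "effector",
        "roll_rate": "state", "yaw_rate": "state"}


def supervisor(value_data):
    """Threshold test over value-data {name: (value, expected_limit)}.

    Returns the offending sensors and the states beyond their expected
    values; these play the role of the "special arrays" the rules work on.
    """
    exceeded = {n for n, (value, limit) in value_data.items() if abs(value) > limit}
    sensors = sorted(n for n in exceeded if n in SENSES)
    states = {n for n in exceeded if KIND.get(n) == "state"}
    return sensors, states


def rule_8(sensors, states, board):
    """Sensor exceeded, senses an effector, no state exceeded: sensor failure."""
    for sensor in sensors:
        if KIND[SENSES[sensor]] == "effector" and not states:
            board["type"]["sensor"] += 1
            board["component"][sensor] += 1


def rule_10(sensors, states, board):
    """Sensor exceeded and its effector strongly affects an exceeded state."""
    for sensor in sensors:
        effector = SENSES[sensor]
        if KIND[effector] == "effector" and STRONGLY_AFFECTS[effector] & states:
            board["type"]["effector"] += 1
            board["component"][effector] += 1


# (name, failure flags the rule needs before it is worth testing, rule body)
RULES = [
    ("Rule 8", {"sensor_exceeded"}, rule_8),
    ("Rule 10", {"sensor_exceeded", "state_exceeded"}, rule_10),
]


def diagnose(value_data):
    """Run the supervisor, select pertinent rules, and fill the scoreboard."""
    sensors, states = supervisor(value_data)
    flags = set()
    if sensors:
        flags.add("sensor_exceeded")
    if states:
        flags.add("state_exceeded")
    board = {"type": Counter(), "component": Counter(), "tested": []}
    for name, needs, rule in RULES:
        if needs <= flags:       # rule interpreter: skip rules that cannot hold
            rule(sensors, states, board)
            board["tested"].append(name)
    return board


# Constructed value-data: (current value, expected limit).
SENSOR_FAULT = {"aileron_position_sensor": (19.0, 10.0), "rudder_position_sensor": (1.0, 10.0),
                "roll_rate": (0.5, 5.0), "yaw_rate": (0.2, 5.0)}
EFFECTOR_FAULT = {"aileron_position_sensor": (19.0, 10.0), "rudder_position_sensor": (1.0, 10.0),
                  "roll_rate": (12.0, 5.0), "yaw_rate": (0.2, 5.0)}
UNRELATED_STATE = {"aileron_position_sensor": (19.0, 10.0), "rudder_position_sensor": (1.0, 10.0),
                   "roll_rate": (0.5, 5.0), "yaw_rate": (9.0, 5.0)}

if __name__ == "__main__":
    for case in (SENSOR_FAULT, EFFECTOR_FAULT, UNRELATED_STATE):
        print(diagnose(case))
```

In the third case neither rule scores: a state has been exceeded, so Rule
8 does not hold, but it is not a state the aileron strongly affects, so
Rule 10 does not hold either, and the scoreboard stays empty.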

The Multiple-Model algorithm processes a number of models and indicates
which one best predicts aircraft behavior. However, the original list of
candidate failures handed to the MM algorithm from the expert system may
not contain the best model in all of memory. For this reason, the expert
system must work with the MM algorithm. It must constantly update the
failure candidate list until a model "close enough" to the actual failure
is found. The knowledge-based reconfigurable flight control system, with
expert system included, is shown in flow chart and block diagram forms in
Fig. 8 and 9, respectively.

9. EXPERIMENTAL SETUP AND PRELIMINARY RESULTS

Initial development has been carried out using a microcomputer
implementation of the KRFCS. A 4-MHz Z-80A 8-bit microprocessor, housed on
a Multibus-compatible Monolithic Systems 8009 board, provided the
processing power. Other features included an AMD9511 32-bit floating point
math chip, a 64K CP/M operating system, and a dual 8-in flexible disk
drive unit capable of holding 932 Kbytes of data. Pascal/MT+, a
microprocessor version of Pascal, was chosen as the initial development
language.


Preliminary system testing required software capable of performing 3
functional tasks: data preparation, flight simulation, and KRFCS
operation. The separate software modules that were used to accomplish
these tasks are shown in Fig. 10. After a nominal state-space model of the
aircraft was derived, the user interactively generated models
corresponding to distinct aircraft failures with the Failure Model
Generator. The Gain Calculator then computed linear quadratic regulator
and Kalman filter gains for each failure model. These were to be used by
the KRFCS controller and estimator. Additionally, the rules and global
data base were transformed into Pascal code by the Rule and GDB Encoders.


KRFCS  operation  was  carried  out  with  the  Dynamic  Simulator.  This 
program  received  the  nominal  model  and  a  failure  model  as  input.  It 
performed  a  deterministic  linear  simulation  of  the  nominal  aircraft  model 
until  the  user  induced  the  failure.  When  the  GLR  Tester  picked  up  the 
model  switch,  it  declared  a  failure  and  set  failure  flags  to  be  read  by 
the  Expert  System  Simulator.  With  the  failure  flags,  global  data  base, 
and  rules,  the  Expert  System  Simulator  showed  the  user  each  step  of 
the  diagnostic  process.  Its  output  was  a  Failure  Candidate  Scoreboard 
which  gave  failure  type  and  component  scores,  indicating  which  failure 
models  should  have  been  tested  by  the  multiple-model  algorithm.  The 
MM  portion  of  the  system  had  not  yet  been  constructed. 

These  preliminary  tests  have  provided  useful  information  concerning 
the  best  performance  to  be  expected  from  the  GLR  test,  as  well  as  its 
required  computation  time.  It  was  found  that  in  a  deterministic  setting 
the  simplified  generalized  likelihood  ratio  test  was  very  good  at  failure 
detection.  Detection  usually  occurred  in  one  sampling  interval  of  0.1 
sec,  even  with  failures  involving  parametric  model  changes  for  which 
the  GLR  test  is  not  intended. 

The simplified GLR test reduced computation time by assuming that
specific bias jumps had occurred. However, the preliminary
implementation was far too slow for real-time execution. A 3-sec moving
window, which looked back in time for signs that a failure had occurred,
required 30 sec of computation time per 0.1-sec sampling interval.
Although 300 times too slow with the present hardware, this detection
approach will run much faster using newer microprocessors, parallel
processing, and revised software.
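
The moving-window search described above, as an added Python illustration (not code from the report): every sample re-tests each onset time in the 3-sec window against each assumed bias jump. It assumes a failure shows up as a constant offset in a scalar innovations sequence of variance V; the jump names, magnitudes, threshold and data are constructed.

```python
# Added illustration of a simplified GLR (SGLR) test over a moving window.
# Assumption: a failure adds a constant offset to a scalar innovations sequence
# with variance V; the jump names and magnitudes are constructed.

WINDOW = 30   # 3-sec window at a 0.1-sec sampling interval

def sglr_detect(innovations, V, jumps, threshold, window=WINDOW):
    """Return (k, theta, name) for the first sample k at which some hypothesis
    "jump `name` began at sample theta" exceeds the threshold, else None."""
    for k in range(len(innovations)):
        best = (float("-inf"), None, None)
        for theta in range(max(0, k - window + 1), k + 1):
            n = k - theta + 1
            d = sum(innovations[theta:k + 1]) / V
            for name, nu in jumps.items():
                # 2 ln [ p(data | jump nu at theta) / p(data | no failure) ]
                ratio = 2.0 * nu * d - nu * nu * n / V
                if ratio > best[0]:
                    best = (ratio, theta, name)
        if best[0] > threshold:
            return k, best[1], best[2]
    return None

def hypotheses_per_sample(jumps, window=WINDOW):
    """Number of likelihood ratios formed at every sampling interval."""
    return window * len(jumps)

JUMPS = {"positive bias": 0.5, "negative bias": -0.5}   # assumed jump sizes
V = 0.01
FAIL_AT = 50
matched = [0.0] * FAIL_AT + [0.5] * 20      # noise-free, jump equals an assumed size
mismatched = [0.0] * FAIL_AT + [0.3] * 20   # noise-free, jump smaller than assumed
```

With noise-free data a jump of the assumed size is declared in the sampling interval in which it occurs, while a smaller jump needs two more samples before the ratio crosses the threshold.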


10.  CONCLUSIONS 


A knowledge-based flight control system capable of detecting,
identifying, and reconfiguring for a wide range of aircraft failures has been
designed. Analytical redundancy techniques, including a Generalized
Likelihood test, are used for failure detection. Failure diagnosis is
performed by an expert system. Utilizing knowledge of cause-and-effect
relationships between all aircraft components and the statistical
results of a Multiple-Model algorithm, the expert system decides which
aircraft component has failed and how to reconfigure for the failure.

Results of preliminary tests indicate that effective failure detection
within a deterministic environment can be obtained with the analytical
methods proposed. Additionally, the expert system can identify simple
failures with its very limited knowledge base. However, many
modifications to the expert system remain to be made. The system is more
properly called a production system, in that when a failure is detected,
the 16 diagnostic rules are fired in succession. No rule interpreters
presently exist to provide a search control structure. Future versions
will include this inference engine, thus giving the KRFCS a true expert
system.

Most of the work performed to date has involved development of the
basic idea behind the KRFCS and the utility routines needed to build
it. Future software to be incorporated into the existing system
includes coding of the Multiple-Model algorithm and the communication
module linking it with the expert system. However, because memory
requirements will soon outgrow the capabilities of an 8-bit machine, the
next few research objectives are centered around the transition to
16-bit machines. The work schedule can be outlined chronologically as
follows.


Adapt KRFCS to distributed processing environment

    Break the KRFCS into functional modules. Minimize the required
    amount of inter-module communication and standardize the
    communication protocol. Modular design will permit the
    implementation of different languages, such as using LISP
    for the expert system.

Select implementation hardware and software language

    Determine number and type of boards needed for modular
    KRFCS. Choose operating system and run-time software
    package.

Tailor existing software to new machine

    Implement modular KRFCS architecture by modifying existing
    programs. Translate all system software into new run-time
    language.

Construct stochastic nonlinear simulator

    Simulation of aircraft dynamics including failures is to be
    performed on a machine physically independent of the
    KRFCS, e.g., an analog or general-purpose digital computer.

Hybrid simulations and software development

    Develop KRFCS components, including expert system GDB,
    rules, and rule interpreters, within the realistic environment
    provided by the nonlinear simulator.


Important  issues  need  to  be  addressed  in  the  near  future.  These 
include  diagnosis  of  complicated  failures,  false  alarm  rate,  overall 
speed,  transient  response  of  the  aircraft,  and  varying  nominal  flight 
conditions.  However,  if  these  problems  can  be  resolved,  the  KRFCS 
Appendix  A

STATE  SPACE  FORMULATION 


The controller and estimator of the fly-by-wire flight control system
contain gains derived from a linear mathematical model of the aircraft.
The Generalized Likelihood Ratio and Multiple-Model algorithms of the
KRFCS utilize linear models as well. Linearization begins with a
nonlinear model representing the aircraft kinematics and dynamics as shown
below. Note that the matrix notation uses subscripts and superscripts
to relate inertial axes and body axes where appropriate.

NONLINEAR  EQUATIONS  OF  MOTION 
TRANSLATIONAL  KINEMATICS  x,  -  vb 

ROTATIONAL  KINEMATICS  VB  *  L^ui* 

TRANSLATIONAL  DYNAMICS  yB  -  (£B  ♦  T^/w*  H®  -w’  vfi 

ROTATIONAL  DYNAMICS  U)£  ■=  l*1  (fJB  ♦  GB)  -  l„y‘ 


INERTIAL POSITION VECTOR
EULER ANGLE VECTOR
BODY-AXIS TRANSLATIONAL RATE VECTOR
BODY ANGULAR RATE VECTOR


STATE  EQUATION  FORM 


The nonlinear nominal and linear perturbation equations are obtained
by expanding the state equation in a Taylor series about some nominal
trajectory. Because the flight control computer can move the control
surfaces only at discrete instances in time, a zero-order hold with fixed
sampling interval is assumed. A linear discrete-time state equation
results.


LINEAR EQUATIONS OF MOTION

$$x = x_0 + \Delta x$$

$$\dot{x} = f(x_0, u_0) + \frac{\partial f}{\partial x}\,\Delta x + \frac{\partial f}{\partial u}\,\Delta u + \text{H.O.T.}$$

NOMINAL TRAJECTORY

$$\dot{x}_0 = f(x_0, u_0)$$

PERTURBATIONS ABOUT NOMINAL TRAJECTORY

$$\Delta\dot{x} = F\,\Delta x + G\,\Delta u$$

SAMPLED DATA SYSTEM

ASSUME FIXED SAMPLING INTERVAL $\Delta$ AND PIECEWISE CONSTANT INPUT:

$$u(t) = u(k), \qquad k\Delta \le t < (k+1)\Delta$$

DISCRETE-TIME STATE EQUATION

$$x(k+1) = \Phi\,x(k) + \Gamma\,u(k)$$

$$\Phi = \exp(F\Delta)$$

$$\Gamma = \left[\int_0^{\Delta} \exp(F\tau)\,d\tau\right] G$$


The state-space model is composed of the state equation and
observations provided by flight sensors. In order to closely represent the
dynamics of an aircraft, however, deterministic biases and noise
sequences must be added. Noise enters the state equation through
disturbances such as turbulence, and biases enter through failures that
cause parametric model changes. Similarly, sensor failures cause noise
and bias changes in the observation equation.


STOCHASTIC DYNAMIC SYSTEM

STATE EQUATION (AIRCRAFT DYNAMICS)

$$x(k+1) = \Phi\,x(k) + \Gamma\,u(k) + \beta(k) + w(k)$$

OBSERVATION EQUATION (OBSERVATIONS)

$$y(k) = H_x\,x(k) + b(k) + v(k)$$

The controller steady-state feedback gains can be derived by any
pole placement technique, including linear quadratic regulator theory.
Feedforward gains associated with pilot inputs can be computed from the
desired non-zero set point and equilibrium response. The state
estimator, on the other hand, is a Kalman Filter. It first predicts the
present state by propagating the state equation to the next sampling
interval. Then, it subtracts the measured observations from those that
would result from the predicted state. Finally, the filter uses this new
information to update the state prediction. In this way, the filter helps
reduce the effect of modeling errors on state estimation accuracy.


CONTROLLER AND ESTIMATOR

CONTROLLER EQUATION

$$u(k) = -C\,\hat{x}(k|k) + C_p\,u_p(k)$$

ESTIMATOR EQUATIONS (KALMAN FILTER)

PREDICTED ESTIMATE

$$\hat{x}(k+1|k) = \Phi\,\hat{x}(k|k) + \Gamma\,u(k) + \beta(k)$$

INNOVATIONS PROCESS

$$\gamma(k+1) = y(k+1) - H_x\,\hat{x}(k+1|k) - b(k)$$

FILTERED ESTIMATE

$$\hat{x}(k+1|k+1) = \hat{x}(k+1|k) + K\,\gamma(k+1)$$

ESTIMATOR GAINS CALCULATED OFF-LINE FROM

$$P(k+1|k) = \Phi\,P(k|k)\,\Phi^T + Q$$

$$V(k+1) = H_x\,P(k+1|k)\,H_x^T + R$$

$$K(k+1) = P(k+1|k)\,H_x^T\,V^{-1}(k+1)$$

$$P(k+1|k+1) = P(k+1|k) - K(k+1)\,H_x\,P(k+1|k)$$

WHERE

P(k|k) = COVARIANCE OF ERROR $x(k) - \hat{x}(k|k)$
V(k) = COVARIANCE OF ZERO-MEAN, WHITE GAUSSIAN INNOVATIONS $\gamma(k)$
K = ESTIMATOR GAINS
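
The discretization and estimator equations of this appendix, carried through numerically as an added example (not code from the report): a power-series zero-order-hold discretization, the off-line covariance recursion for the gains, and one predict/innovate/update cycle. The double-integrator model, Q, R, P0 and all function and argument names are assumptions of this example, and Python is used in place of the report's Pascal.

```python
# Added illustration: zero-order-hold discretization and off-line Kalman gains.
# The two-state model, Q, R and P0 below are constructed, not taken from the report.

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]

def transpose(a):
    return [list(row) for row in zip(*a)]

def add(a, b, sign=1.0):
    return [[x + sign * y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def scale(a, s):
    return [[x * s for x in row] for row in a]

def discretize(F, G, dt, terms=20):
    """Phi = exp(F dt); Gamma = (integral of exp(F tau) over 0..dt) G, by power series."""
    n = len(F)
    term = [[float(i == j) for j in range(n)] for i in range(n)]  # (F dt)^j / j!
    phi, integral = term, scale(term, dt)
    for j in range(1, terms):
        term = scale(matmul(term, F), dt / j)
        phi = add(phi, term)
        integral = add(integral, scale(term, dt / (j + 1)))
    return phi, matmul(integral, G)

def kalman_gain(phi, Hx, Q, R, P0, steps=500):
    """Iterate the covariance recursion; Hx is 1 x n, R a scalar variance."""
    P = P0
    for _ in range(steps):
        Pp = add(matmul(matmul(phi, P), transpose(phi)), Q)   # P(k+1|k)
        PHt = matmul(Pp, transpose(Hx))
        V = matmul(Hx, PHt)[0][0] + R                         # innovations covariance
        K = scale(PHt, 1.0 / V)                               # K(k+1)
        P = add(Pp, matmul(matmul(K, Hx), Pp), sign=-1.0)     # P(k+1|k+1)
    return K, P, V

def filter_step(phi, gamma, Hx, K, x_hat, u, y, beta=None, b=0.0):
    """One predict / innovate / update cycle; beta is a state bias, b a sensor bias."""
    n = len(x_hat)
    beta = beta or [0.0] * n
    x_pred = [sum(phi[i][j] * x_hat[j] for j in range(n)) + gamma[i][0] * u + beta[i]
              for i in range(n)]
    innov = y - sum(Hx[0][j] * x_pred[j] for j in range(n)) - b
    return [x_pred[i] + K[i][0] * innov for i in range(n)], innov

F = [[0.0, 1.0], [0.0, 0.0]]          # constructed double integrator
G = [[0.0], [1.0]]
HX = [[1.0, 0.0]]                     # position is the only observation
PHI, GAMMA = discretize(F, G, 0.1)    # 0.1-sec sampling interval, as in the tests
K_SS, P_SS, V_SS = kalman_gain(PHI, HX, [[1e-4, 0.0], [0.0, 1e-2]], 1e-2,
                               [[1.0, 0.0], [0.0, 1.0]])
```

An unmodelled sensor bias passes straight into the innovation returned by `filter_step`, which is the quantity the failure detection tests monitor.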


When the controller and estimator are combined with the original
linear stochastic system, a closed-loop dynamic system is produced.
This closed-loop system forms the basis for KRFCS development.


CLOSED-LOOP  DYNAMIC  SYSTEM 

AIRCRAFT  DYNAMICS  OBSERVATIONS 


Appendix  B 

FAILURE  DIAGNOSIS  RULES 


The KRFCS expert system uses rules and a global data base to
diagnose aircraft failures. It narrows down to a reasonable number the
candidate failures to be tested by the multiple-model algorithm. The
following sixteen rules were used in preliminary expert system testing.
In order to illustrate how the rules use "scratch pad" memory stacks
and the SET and PROCEDURE features of Pascal during failure
diagnosis, the source code for Rule 14 is included.


Rule 5:  Flight Sensor Soft Validity via
         Observations, Sensors, and States

  IF     an observation is flagged (from GLR test)
         AND no flight sensors are flagged (from threshold test)
         AND no auxiliary sensors are flagged (from threshold test)
         AND no states are flagged (from the GLR test)
  THEN   a flight sensor soft failure (i.e. bias drift) is likely


Rule 6:  Flight Sensor Hard Validity via
         Observations and Sensors

  IF     an observation is flagged
         AND a flight sensor used for that observation is flagged
         AND all other sensors are not flagged
  THEN   a flight sensor hard failure is likely


Rule 7:  Control Sensor Flag Status

  IF     an auxiliary sensor is flagged
         AND that sensor senses a control
  THEN   an auxiliary sensor failure is likely
         AND a support failure is likely


Rule 8:  Effector Sensor Validity via
         States

  IF     an auxiliary sensor is flagged
         AND that sensor senses an actuator/effector
         AND no states are flagged
  THEN   an auxiliary sensor failure is likely
         AND a support failure is likely


Rule 9:  Structural and State Disturbance Validity via
         Sensors

  IF     a state is flagged
         AND the flight sensors are OK
         AND the auxiliary sensors are OK
  THEN   a state disturbance failure is likely
         AND a structural failure is likely


Rule 10: Effector Validity via
         Sensors and States

  IF     a state is flagged
         AND the flight sensors are OK
         AND auxiliary sensors that sense actuators/effectors
             affecting the flagged state exist and are flagged
  THEN   an actuator/effector failure is likely


Rule 15: Common Support Validity via
         Sensors and Effectors

  IF     the support common to all the flagged sensors
         supports no non-flagged sensor
         AND it either supports no actuator/effector
             OR it supports an actuator that affects
                a flagged state
  THEN   a support failure is likely


Rule 16: Common Location Validity via
         Sensors and Effectors

  IF     the location common to all the flagged sensors
         contains no non-flagged sensor
         AND it either contains no actuator/effector
             OR it contains an actuator/effector that affects
                a flagged state
  THEN   a structural failure is likely


Diagnosis Through Contradiction


Rule 1:  Flight Sensor Flag Status

  IF     no observations are flagged
         AND no flight sensors are flagged
  THEN   a flight sensor failure is unlikely
         AND the flight sensors are OK
  ELSE   the flight sensors are not OK


Rule 2:  Auxiliary Sensor Flag Status

  IF     no auxiliary sensors are flagged
  THEN   an auxiliary sensor failure is unlikely
         AND the auxiliary sensors are OK
  ELSE   the auxiliary sensors are not OK


Rule 3:  State Disturbance Flag Status

  IF     no states are flagged
  THEN   a structural failure is unlikely
         AND a state disturbance failure is unlikely
         AND an actuator/effector failure is unlikely
         AND the states are OK
  ELSE   the states are not OK


Rule 4:  State Disturbance Contradiction via
         Sensors and Observations

  IF     a state is flagged
         AND an observation is flagged
             OR a flight sensor is flagged
             OR an auxiliary sensor is flagged
  THEN   a state disturbance failure is unlikely


Rule 11: Common Support Contradiction via
         Sensors

  IF     the support common to all the flagged sensors
         supports a non-flagged sensor
  THEN   a support failure is unlikely


Rule 12: Common Support Contradiction via
         Effectors

  IF     the support common to all the flagged sensors
         supports an actuator/effector that affects a
         non-flagged state
  THEN   a support failure is unlikely


Rule 13: Common Location Contradiction via
         Sensors

  IF     the location common to all the flagged sensors
         contains a non-flagged sensor
  THEN   a structural failure is unlikely


Rule 14: Common Location Contradiction via
         Effectors

  IF     the location common to all the flagged sensors
         contains an actuator/effector that affects a
         non-flagged state
  THEN   a structural failure is unlikely


procedure Rule14;
begin
  { IF part of Rule 14 }
  if ((anyFlagged(fltSensors) or anyFlagged(auxSensors))
      and common(locations, fltSensors, forwrd, 0)
      and common(locations, auxSensors, forwrd, 1)
      and areRelatedTo(actEffectors, locations, backwrd)
      and areRelatedTo(states, actEffectors, backwrd)
      and not(stackFlagged(states)))
  then
    begin
      ruletrue := true;
      score(strucFail, -1)   { THEN part: a structural failure is unlikely }
    end
end;  { Rule 14 }


Forward chaining search (looking for IF part to be true)
checks if the "condition set" contains these set elements:

    @fltSNotOK    { flight sensors not OK }
    @auxSNotOK    { auxiliary sensors not OK }


Backward chaining search (trying to prove THEN part is true)
checks if the "action set" contains this set element:

    @strucScore   { structural failure score affected }
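
How rules fired in succession build a Failure Candidate Scoreboard, as an added Python sketch (not the report's Pascal): it covers Rules 1-5 and 9, the ones that depend only on the failure flags and not on the component data base. The +1 score for "likely", the failure-type labels, the condition names fltSOK, auxSOK, statesOK and statesNotOK, and the sample flags are assumptions of this example; the -1 for "unlikely" follows the Rule 14 source above.

```python
from collections import Counter

def diagnose(flags):
    """Fire Rules 1-5 and 9 once each, in numerical order; return (scoreboard, fired)."""
    obs, flt, aux, st = (bool(flags.get(k)) for k in
                         ("observations", "flight_sensors", "aux_sensors", "states"))
    conds, board, fired = set(), Counter(), []

    def rule(number, if_part, likely=(), unlikely=()):
        if if_part:
            fired.append(number)
            for failure in likely:
                board[failure] += 1
            for failure in unlikely:
                board[failure] -= 1
        return if_part

    # Rules 1-3: THEN marks a class OK, ELSE marks it not OK
    conds.add("fltSOK" if rule(1, not obs and not flt,
                               unlikely=["flight sensor"]) else "fltSNotOK")
    conds.add("auxSOK" if rule(2, not aux,
                               unlikely=["auxiliary sensor"]) else "auxSNotOK")
    conds.add("statesOK" if rule(3, not st, unlikely=[
        "structural", "state disturbance", "actuator/effector"]) else "statesNotOK")
    # Rule 4, read here as: state AND (observation OR flight sensor OR auxiliary sensor)
    rule(4, st and (obs or flt or aux), unlikely=["state disturbance"])
    rule(5, obs and not flt and not aux and not st, likely=["flight sensor (soft)"])
    # Rule 9 consumes the conditions asserted by Rules 1 and 2
    rule(9, st and "fltSOK" in conds and "auxSOK" in conds,
         likely=["state disturbance", "structural"])
    return dict(board), fired

def candidates(board):
    """Failure types with a positive score, i.e. those to pass to the MM algorithm."""
    return sorted(f for f, s in board.items() if s > 0)

# Constructed failure flags, as the GLR and threshold tests might set them
SOFT_SENSOR = {"observations": {"pitch rate"}}
DISTURBANCE = {"states": {"angle of attack"}}
```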